25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cooper Health System Data Breach Affects Almost 60,000 Individuals

Posted By on May 26, 2025

Data breaches have been reported by the Cooper Health System in New Jersey, Union County Children and Youth Services in Pennsylvania, Balance Autism in Iowa, and the Carpenter Health Network in Louisiana.

The Cooper Health System, New Jersey

The Cooper Health System in New Jersey has recently notified the Maine Attorney General about a security breach that potentially involved unauthorized access to the personal and protected health information of up to 57,412 individuals. Cooper Health System said unusual network activity was identified on May 14, 2024; however, there was no disruption to system access. Third-party cybersecurity experts were engaged to investigate the network activity and confirmed that an unauthorized third party had access to certain systems and may have exfiltrated sensitive data.

The file review was completed on or around March 26, 2025, and confirmed that the compromised information included names and Social Security numbers. Additional security measures have been implemented to strengthen system security, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

Union County Children and Youth Services, Pennsylvania

Union County in Pennsylvania has fallen victim to a ransomware attack. The ransomware attack was detected on March 13, 2025, and the forensic investigation determined on March 17, 2025, that the ransomware group had exfiltrated files from its network. The stolen data mostly related to individuals involved with County law enforcement, court-related matters, and/or other County business, although individuals who received services from the Department of Children and Youth Services also had data stolen in the incident.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The investigation into the attack is ongoing, and it has yet to be determined how many individuals have been affected and the types of data involved. County officials have confirmed that names, Social Security numbers, and driver’s license numbers were stolen. Union County is deploying additional security tools to enhance the detection of security incidents and accelerate incident response, and is strengthening restrictions for external network access. The data breach has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the file review is concluded.

Balance Autism, Iowa

Balance Autism in Altoona, Iowa, identified unauthorized access to certain network systems on or around March 17, 2025. Assisted by forensics specialists, it was determined that an unauthorized third party had access to those systems between March 11, 2025, and March 17, 2025, during which time files were copied. A time-intensive review of those files was completed on or around May 5, 2025, and determined that they contained sensitive client information, including names, dates of birth, Social Security numbers, health insurance information, and Medicaid numbers. Notification letters have been issued to the 1,281 affected individuals, who have been advised to remain vigilant against identity theft and fraud. Individuals who had their Social Security numbers compromised in the incident have been offered complimentary credit monitoring services.

The Carpenter Health Network, Louisiana

The Carpenter Health Network, a provider of skilled nursing, rehabilitation, and home health care services in Louisiana, has notified 878 individuals that some of their protected health information was obtained by an unauthorized individual in a recent network security incident. The intrusion was identified on February 28, 2028, and on March 5, 2025, it was determined that the unauthorized access occurred between February 4, 2025, and February 28, 2025.

The stolen files contained names, phone numbers, postal addresses, dates of birth, Social Security numbers, diagnoses/conditions, treatment information, physician names, medical record numbers, and health insurance information. Complimentary credit monitoring and identity protection services have been offered to the affected individuals, and steps have been taken to improve system security.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist